Bug 1901168 (CVE-2020-15436)

Summary: CVE-2020-15436 kernel: use-after-free in fs/block_dev.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, mmilgram, nmurray, ptalbert, qzhao, rkeshri, rt-maint, rvrbovsk, steved, tvainio, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was observed in blkdev_get(), in fs/block_dev.c after a call to __blkdev_get() fails, and its refcount gets freed/released. This problem may cause a denial of service problem with a special user privilege, and may even lead to a confidentiality issue.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-02 14:41:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1901169, 1902414, 1902415, 1902416, 1930196, 1930197, 1931876, 1931877    
Bug Blocks: 1901170    

Description Guilherme de Almeida Suckevicz 2020-11-24 16:29:05 UTC 
A use-after-free flaw was observed in blkdev_get(), in fs/block_dev.c after a call to __blkdev_get() fails, and its refcount gets freed/released. This problem may cause a denial of service problem with a special user privilege, and may even lead to a confidentiality issue.

Reference:
https://lkml.org/lkml/2020/6/7/379
Comment 1 Guilherme de Almeida Suckevicz 2020-11-24 16:30:07 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1901169]
Comment 2 Justin M. Forbes 2020-11-25 14:50:39 UTC 
This was fixed for Fedora with the 5.7.6 stable kernel updates.
Comment 5 Rohit Keshri 2020-11-28 16:51:05 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 8 errata-xmlrpc 2021-02-02 10:11:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0354 https://access.redhat.com/errata/RHSA-2021:0354
Comment 9 errata-xmlrpc 2021-02-02 12:00:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0336 https://access.redhat.com/errata/RHSA-2021:0336
Comment 10 errata-xmlrpc 2021-02-02 12:02:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0338 https://access.redhat.com/errata/RHSA-2021:0338
Comment 11 Product Security DevOps Team 2021-02-02 14:41:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15436
Comment 14 errata-xmlrpc 2021-04-27 08:31:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:1376 https://access.redhat.com/errata/RHSA-2021:1376
Comment 16 errata-xmlrpc 2021-06-22 17:36:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2523 https://access.redhat.com/errata/RHSA-2021:2523